Hello,

I am sharing my webserver with a few people (it's my server) and I am trying to create some sort of an admin panel for them. It has to be able to change Apache VirtualHosts and reload Apache. Now I can make the config-changing PHP code, but there are 2 Apache-related problems.

  • I want only my script / all scripts from my VirtualHost to be able to write to a specific directory. So I don't want other people to be able to write a simple PHP script to bypass my config script and screw around with the Apache config.
  • I want only my script / all scripts from my VirtualHost to be able to reload Apache (through a shell command). Again, I don't want other scripts to be able to do this.

I know of suPHP, but compiling that is not working, it's just very hard.

Running Apache 2.2 with PHP 5.3 on Debian Squeeze Linux.

-Lukas

Hmm, I haven't tested this, but you could use php-fpm to start a FastCGI socket and assign a specific uid and gid to it. Read:

  1. http://wiki.apache.org/httpd/PHP-FPM
  2. http://php.net/manual/en/install.fpm.install.php
  3. http://www.php.net/manual/en/install.fpm.configuration.php
  4. http://www.howtoforge.com/using-php5-fpm-with-apache2-on-ubuntu-12.10

If you have Ubuntu Linux and PHP5, run:

sudo apt-get install php5-fpm libapache2-mod-fastcgi

then edit the php.ini related to fpm:

sudo nano /etc/php5/fpm/php.ini

And add a user and a group (previously created) specific for the FPM processes:

user string
group string

Change your scripts so they are owned by this new user and set up your virtual host to listen on the FPM socket:

<VirtualHost *:80>
    ...
    <IfModule mod_fastcgi.c>
        AddHandler php5-fcgi .php
        Action php5-fcgi /php5-fcgi
        Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
        FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization
    </IfModule>
</VirtualHost>

So, at the end, the other virtual hosts will run the normal Server API: Apache 2.0 Handler and yours the FPM/FastCGI, you can check it with phpinfo(). Hope it helps, bye!

There is a flaw in my previous answer: if the other users are able to change their virtual host, they can add the mod_fastcgi handler to their config file or to an .htaccess and override your scripts.

To fix this you could:

  • install php5-fpm
  • install Nginx
  • host your website in Nginx
  • make Nginx listen on a different port, such as 8000

So, you can use PHP-FastCGI through Nginx. Logically you have to remove mod_fastcgi and proxy_fcgi_module from Apache, so the users will not be able to add the handler or to redirect requests to FastCGI server.

To install Nginx run:

sudo apt-get install nginx

then create your virtual host:

sudo nano /etc/nginx/sites-available/my_server

and add a basic configuration:

server {
    listen 8000;
    server_name mywebsite.dev;

    access_log /var/log/nginx/mywebsite.access.log;
    root /var/www/mywebsite;

    location / {
        index index.php index.html index.htm;
    }

    location ~ \.php$ {
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/tmp/php.socket;
    }
}

Then save the file, enable it and reload the server:

sudo ln -s /etc/nginx/sites-available/my_server /etc/nginx/sites-enabled/my_server
sudo service nginx reload

Besides, I would run the users inside separate chroot environments, so they cannot access your document root or each other's by simply changing theirs.

Question: is .htaccess not enough for your friends? You can do almost everything from there apart from changing the DocumentRoot: http://httpd.apache.org/docs/current/howto/htaccess.html
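An added example, not part of the original posts: a POSIX shell check for the per-virtual-host PHP-FPM setup the two answers describe, flagging a pool that runs as the shared web user, a socket mode that lets any local user connect, and a socket placed in a world-writable directory. The pool name `panel`, the `panel` account, the shared user `www-data` and the file paths are assumptions; `listen.owner`, `listen.group` and `listen.mode` are standard PHP-FPM pool directives.

```sh
#!/bin/sh
# Added example: audit a PHP-FPM pool file for per-vhost isolation.

# Print the value assigned to KEY in pool file FILE (last assignment wins).
pool_value() {
    awk -F= -v k="$2" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val) }
        END { print val }' "$1"
}

# audit_pool FILE SHARED_USER: print one FAIL line per finding, return 1 if any.
audit_pool() {
    file=$1 shared=$2 bad=0
    user=$(pool_value "$file" user)
    mode=$(pool_value "$file" listen.mode)
    sock=$(pool_value "$file" listen)

    if [ -z "$user" ] || [ "$user" = "$shared" ]; then
        echo "FAIL user: pool runs as '${user:-unset}', not a dedicated account"; bad=1
    fi
    case $mode in
        "")      echo "FAIL listen.mode: not set, do not rely on the default"; bad=1 ;;
        *[1-7])  echo "FAIL listen.mode: $mode lets every local user connect"; bad=1 ;;
    esac
    case $sock in
        /tmp/*|/var/tmp/*)
            echo "FAIL listen: $sock is in a world-writable directory"; bad=1 ;;
    esac
    return "$bad"
}

# Constructed sample pools; "panel", "www-data" and the paths are assumptions.
write_samples() {
    printf '%s\n' '[panel]' 'user = www-data' 'group = www-data' \
        'listen = /tmp/php.socket' > "$1/weak.conf"
    printf '%s\n' '[panel]' 'user = panel' 'group = panel' \
        'listen = /var/run/php5-fpm-panel.sock' 'listen.owner = www-data' \
        'listen.group = www-data' 'listen.mode = 0660' > "$1/hardened.conf"
}

dir=$(mktemp -d) && write_samples "$dir"
audit_pool "$dir/weak.conf" www-data || true
audit_pool "$dir/hardened.conf" www-data && echo "hardened.conf: OK"
rm -rf "$dir"
```

The hardened pool keeps the socket owned by the web server account with mode 0660, so only the front-end server and the pool itself can reach the PHP processes that run as `panel`.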

First, sorry for the late reaction. I'll have a look at this.
It will be enough for them to use an .htaccess, but they have to be able to configure an x amount of websites (and make Apache redirect them to the right folder).
When this is running, I will disable shell access.

This is not really what I am looking for: each user has its own Unix user (let's say "john"). John can log in to FTP and SSH using his Unix credentials. Now, his website has to be the same user he has (or an even better idea might be "john-httpd"). That way, I can add john-httpd to a group, and John can chgrp and chmod the group so that john-httpd can for example write to example.com/uploads, and John can still write everywhere he wants.

suPHP seems just exactly what I am looking for, however, I couldn't seem to compile it. I'll try again.
